From: Matt Caswell Date: Wed, 21 Jan 2015 11:09:58 +0000 (+0000) Subject: indent has problems with comments that are on the right hand side of a line. X-Git-Tag: OpenSSL_1_0_0-post-reformat~26 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=e16db4b3d75e9e3ea4dccdd5df65e75e62a320c3 indent has problems with comments that are on the right hand side of a line. Sometimes it fails to format them very well, and sometimes it corrupts them! This commit moves some particularly problematic ones. Conflicts: crypto/bn/bn.h crypto/ec/ec_lcl.h crypto/rsa/rsa.h demos/engines/ibmca/hw_ibmca.c ssl/ssl.h ssl/ssl3.h Conflicts: crypto/ec/ec_lcl.h ssl/tls1.h Conflicts: crypto/ec/ecp_nistp224.c crypto/evp/evp.h ssl/d1_both.c ssl/ssl.h ssl/ssl_lib.c Reviewed-by: Tim Hudson --- diff --git a/apps/s_client.c b/apps/s_client.c index f3a11c3610..f9d389ddc7 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -1679,7 +1679,9 @@ static void print_stuff(BIO *bio, SSL *s, int full) if (peer != NULL) { BIO_printf(bio,"Server certificate\n"); - if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */ + + /* Redundant if we showed the whole chain */ + if (!(c_showcerts && got_a_chain)) PEM_write_bio_X509(bio,peer); X509_NAME_oneline(X509_get_subject_name(peer), buf,sizeof buf); diff --git a/crypto/asn1/a_utctm.c b/crypto/asn1/a_utctm.c index 12776e304b..a649427089 100644 --- a/crypto/asn1/a_utctm.c +++ b/crypto/asn1/a_utctm.c @@ -315,13 +315,16 @@ time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s) } #undef g2 - return mktime(&tm)-offset*60; /* FIXME: mktime assumes the current timezone - * instead of UTC, and unless we rewrite OpenSSL - * in Lisp we cannot locally change the timezone - * without possibly interfering with other parts - * of the program. timegm, which uses UTC, is - * non-standard. - * Also time_t is inappropriate for general - * UTC times because it may a 32 bit type. */ + /* + * FIXME: mktime assumes the current timezone + * instead of UTC, and unless we rewrite OpenSSL + * in Lisp we cannot locally change the timezone + * without possibly interfering with other parts + * of the program. timegm, which uses UTC, is + * non-standard. + * Also time_t is inappropriate for general + * UTC times because it may a 32 bit type. + */ + return mktime(&tm)-offset*60; } #endif diff --git a/crypto/bio/bss_file.c b/crypto/bio/bss_file.c index d84c992f6e..b4b7c21d66 100644 --- a/crypto/bio/bss_file.c +++ b/crypto/bio/bss_file.c @@ -153,9 +153,14 @@ BIO *BIO_new_file(const char *filename, const char *mode) wmode,sizeof(wmode)/sizeof(wmode[0])) && (file=_wfopen(wfilename,wmode))==NULL && (errno==ENOENT || errno==EBADF) - ) /* UTF-8 decode succeeded, but no file, filename - * could still have been locale-ized... */ + ) + { + /* + * UTF-8 decode succeeded, but no file, filename + * could still have been locale-ized... + */ file = fopen(filename,mode); + } } else if (GetLastError()==ERROR_NO_UNICODE_TRANSLATION) { diff --git a/crypto/bio/bss_log.c b/crypto/bio/bss_log.c index 2227b2b52d..eb50668642 100644 --- a/crypto/bio/bss_log.c +++ b/crypto/bio/bss_log.c @@ -276,8 +276,11 @@ static void xsyslog(BIO *bp, int priority, const char *string) case LOG_DEBUG: evtype = EVENTLOG_INFORMATION_TYPE; break; - default: /* Should never happen, but set it - as error anyway. */ + default: + /* + * Should never happen, but set it + * as error anyway. + */ evtype = EVENTLOG_ERROR_TYPE; break; } diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h index be1b437504..daef72bcce 100644 --- a/crypto/bn/bn.h +++ b/crypto/bn/bn.h @@ -275,16 +275,22 @@ extern "C" { #define BN_FLG_MALLOCED 0x01 #define BN_FLG_STATIC_DATA 0x02 -#define BN_FLG_CONSTTIME 0x04 /* avoid leaking exponent information through timing, - * BN_mod_exp_mont() will call BN_mod_exp_mont_consttime, - * BN_div() will call BN_div_no_branch, - * BN_mod_inverse() will call BN_mod_inverse_no_branch. - */ -#ifndef OPENSSL_NO_DEPRECATED -#define BN_FLG_EXP_CONSTTIME BN_FLG_CONSTTIME /* deprecated name for the flag */ - /* avoid leaking exponent information through timings - * (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime) */ +/* + * avoid leaking exponent information through timing, + * BN_mod_exp_mont() will call BN_mod_exp_mont_consttime, + * BN_div() will call BN_div_no_branch, + * BN_mod_inverse() will call BN_mod_inverse_no_branch. + */ +#define BN_FLG_CONSTTIME 0x04 + +#ifdef OPENSSL_NO_DEPRECATED +/* deprecated name for the flag */ +#define BN_FLG_EXP_CONSTTIME BN_FLG_CONSTTIME +/* + * avoid leaking exponent information through timings + * (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime) + */ #endif #ifndef OPENSSL_NO_DEPRECATED diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 78a599fcf7..6b7f57d8e5 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -374,9 +374,12 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words) case 3: A[2]=B[2]; case 2: A[1]=B[1]; case 1: A[0]=B[0]; - case 0: /* workaround for ultrix cc: without 'case 0', the optimizer does - * the switch table by doing a=top&3; a--; goto jump_table[a]; - * which fails for top== 0 */ + case 0: + /* + * workaround for ultrix cc: without 'case 0', the optimizer does + * the switch table by doing a=top&3; a--; goto jump_table[a]; + * which fails for top== 0 + */ ; } } diff --git a/crypto/des/read_pwd.c b/crypto/des/read_pwd.c index ce5fa00a37..5c82e2fdc1 100644 --- a/crypto/des/read_pwd.c +++ b/crypto/des/read_pwd.c @@ -75,7 +75,8 @@ #endif #endif -/* #define SIGACTION */ /* Define this if you have sigaction() */ +/* Define this if you have sigaction() */ +/* #define SIGACTION */ #ifdef WIN16TTY #undef OPENSSL_SYS_WIN16 diff --git a/crypto/dh/dh.h b/crypto/dh/dh.h index 0f2cd13124..8f37c9ef57 100644 --- a/crypto/dh/dh.h +++ b/crypto/dh/dh.h @@ -78,13 +78,16 @@ #endif #define DH_FLAG_CACHE_MONT_P 0x01 -#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH - * implementation now uses constant time - * modular exponentiation for secret exponents - * by default. This flag causes the - * faster variable sliding window method to - * be used for all exponents. - */ + +/* + * new with 0.9.7h; the built-in DH + * implementation now uses constant time + * modular exponentiation for secret exponents + * by default. This flag causes the + * faster variable sliding window method to + * be used for all exponents. + */ +#define DH_FLAG_NO_EXP_CONSTTIME 0x02 #ifdef __cplusplus extern "C" { diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h index e6f5ffa45a..54cd1b3301 100644 --- a/crypto/ec/ec_lcl.h +++ b/crypto/ec/ec_lcl.h @@ -200,37 +200,44 @@ struct ec_group_st { /* The following members are handled by the method functions, * even if they appear generic */ - BIGNUM field; /* Field specification. - * For curves over GF(p), this is the modulus; - * for curves over GF(2^m), this is the - * irreducible polynomial defining the field. - */ - - int poly[6]; /* Field specification for curves over GF(2^m). - * The irreducible f(t) is then of the form: - * t^poly[0] + t^poly[1] + ... + t^poly[k] - * where m = poly[0] > poly[1] > ... > poly[k] = 0. - * The array is terminated with poly[k+1]=-1. - * All elliptic curve irreducibles have at most 5 - * non-zero terms. - */ - - BIGNUM a, b; /* Curve coefficients. - * (Here the assumption is that BIGNUMs can be used - * or abused for all kinds of fields, not just GF(p).) - * For characteristic > 3, the curve is defined - * by a Weierstrass equation of the form - * y^2 = x^3 + a*x + b. - * For characteristic 2, the curve is defined by - * an equation of the form - * y^2 + x*y = x^3 + a*x^2 + b. - */ - - int a_is_minus3; /* enable optimized point arithmetics for special case */ - - void *field_data1; /* method-specific (e.g., Montgomery structure) */ - void *field_data2; /* method-specific */ - int (*field_mod_func)(BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); /* method-specific */ + /* Field specification. + * For curves over GF(p), this is the modulus; + * for curves over GF(2^m), this is the + * irreducible polynomial defining the field. + */ + BIGNUM field; + + /* Field specification for curves over GF(2^m). + * The irreducible f(t) is then of the form: + * t^poly[0] + t^poly[1] + ... + t^poly[k] + * where m = poly[0] > poly[1] > ... > poly[k] = 0. + * The array is terminated with poly[k+1]=-1. + * All elliptic curve irreducibles have at most 5 + * non-zero terms. + */ + int poly[6]; + + /* Curve coefficients. + * (Here the assumption is that BIGNUMs can be used + * or abused for all kinds of fields, not just GF(p).) + * For characteristic > 3, the curve is defined + * by a Weierstrass equation of the form + * y^2 = x^3 + a*x + b. + * For characteristic 2, the curve is defined by + * an equation of the form + * y^2 + x*y = x^3 + a*x^2 + b. + */ + BIGNUM a, b; + + /* enable optimized point arithmetics for special case */ + int a_is_minus3; + + /* method-specific (e.g., Montgomery structure) */ + void *field_data1; + /* method-specific */ + void *field_data2; + /* method-specific */ + int (*field_mod_func)(BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); } /* EC_GROUP */; struct ec_key_st { diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h index 1858d5a68b..2534456eb6 100644 --- a/crypto/evp/evp.h +++ b/crypto/evp/evp.h @@ -188,13 +188,16 @@ typedef int evp_verify_method(int type,const unsigned char *m, unsigned int m_length,const unsigned char *sigbuf, unsigned int siglen, void *key); -#define EVP_MD_FLAG_ONESHOT 0x0001 /* digest can only handle a single - * block */ - -#define EVP_MD_FLAG_PKEY_DIGEST 0x0002 /* digest is a "clone" digest used - * which is a copy of an existing - * one for a specific public key type. - * EVP_dss1() etc */ +/* digest can only handle a single block */ +#define EVP_MD_FLAG_ONESHOT 0x0001 + +/* + * digest is a "clone" digest used + * which is a copy of an existing + * one for a specific public key type. + * EVP_dss1() etc + */ +#define EVP_MD_FLAG_PKEY_DIGEST 0x0002 /* Digest uses EVP_PKEY_METHOD for signing instead of MD specific signing */ @@ -301,19 +304,39 @@ struct evp_cipher_st { int nid; int block_size; - int key_len; /* Default value for variable length ciphers */ + + /* Default value for variable length ciphers */ + int key_len; int iv_len; - unsigned long flags; /* Various flags */ + + /* Various flags */ + unsigned long flags; + + /* init key */ int (*init)(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc); /* init key */ + const unsigned char *iv, int enc); + + /* encrypt/decrypt data */ int (*do_cipher)(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t inl);/* encrypt/decrypt data */ - int (*cleanup)(EVP_CIPHER_CTX *); /* cleanup ctx */ - int ctx_size; /* how big ctx->cipher_data needs to be */ - int (*set_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *); /* Populate a ASN1_TYPE with parameters */ - int (*get_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *); /* Get parameters from a ASN1_TYPE */ - int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr); /* Miscellaneous operations */ - void *app_data; /* Application data */ + const unsigned char *in, size_t inl); + + /* cleanup ctx */ + int (*cleanup)(EVP_CIPHER_CTX *); + + /* how big ctx->cipher_data needs to be */ + int ctx_size; + + /* Populate a ASN1_TYPE with parameters */ + int (*set_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *); + + /* Get parameters from a ASN1_TYPE */ + int (*get_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *); + + /* Miscellaneous operations */ + int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr); + + /* Application data */ + void *app_data; } /* EVP_CIPHER */; /* Values for cipher flags */ @@ -388,14 +411,22 @@ struct evp_cipher_ctx_st typedef struct evp_Encode_Ctx_st { - int num; /* number saved in a partial encode/decode */ - int length; /* The length is either the output line length - * (in input bytes) or the shortest input line - * length that is ok. Once decoding begins, - * the length is adjusted up each time a longer - * line is decoded */ - unsigned char enc_data[80]; /* data to encode */ - int line_num; /* number read on current line */ + /* number saved in a partial encode/decode */ + int num; + + /* The length is either the output line length + * (in input bytes) or the shortest input line + * length that is ok. Once decoding begins, + * the length is adjusted up each time a longer + * line is decoded + */ + int length; + + /* data to encode */ + unsigned char enc_data[80]; + + /* number read on current line */ + int line_num; int expect_nl; } EVP_ENCODE_CTX; diff --git a/crypto/rand/rand_win.c b/crypto/rand/rand_win.c index 30778d183c..6ec7097885 100644 --- a/crypto/rand/rand_win.c +++ b/crypto/rand/rand_win.c @@ -177,12 +177,13 @@ typedef BOOL (WINAPI *MODULE32)(HANDLE, LPMODULEENTRY32); #include #include -#if 1 /* The NET API is Unicode only. It requires the use of the UNICODE - * macro. When UNICODE is defined LPTSTR becomes LPWSTR. LMSTR was - * was added to the Platform SDK to allow the NET API to be used in - * non-Unicode applications provided that Unicode strings were still - * used for input. LMSTR is defined as LPWSTR. - */ +#if 1 +/* The NET API is Unicode only. It requires the use of the UNICODE + * macro. When UNICODE is defined LPTSTR becomes LPWSTR. LMSTR was + * was added to the Platform SDK to allow the NET API to be used in + * non-Unicode applications provided that Unicode strings were still + * used for input. LMSTR is defined as LPWSTR. + */ typedef NET_API_STATUS (NET_API_FUNCTION * NETSTATGET) (LPWSTR, LPWSTR, DWORD, DWORD, LPBYTE*); typedef NET_API_STATUS (NET_API_FUNCTION * NETFREE)(LPBYTE); diff --git a/crypto/rsa/rsa.h b/crypto/rsa/rsa.h index 66f46263e3..8bcfc1ee20 100644 --- a/crypto/rsa/rsa.h +++ b/crypto/rsa/rsa.h @@ -168,7 +168,9 @@ struct rsa_st # define OPENSSL_RSA_SMALL_MODULUS_BITS 3072 #endif #ifndef OPENSSL_RSA_MAX_PUBEXP_BITS -# define OPENSSL_RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "large" modulus only */ + +/* exponent limit enforced for "large" modulus only */ +# define OPENSSL_RSA_MAX_PUBEXP_BITS 64 #endif #define RSA_3 0x3L @@ -191,30 +193,36 @@ struct rsa_st */ #define RSA_FLAG_SIGN_VER 0x0040 -#define RSA_FLAG_NO_BLINDING 0x0080 /* new with 0.9.6j and 0.9.7b; the built-in - * RSA implementation now uses blinding by - * default (ignoring RSA_FLAG_BLINDING), - * but other engines might not need it - */ -#define RSA_FLAG_NO_CONSTTIME 0x0100 /* new with 0.9.8f; the built-in RSA - * implementation now uses constant time - * operations by default in private key operations, - * e.g., constant time modular exponentiation, - * modular inverse without leaking branches, - * division without leaking branches. This - * flag disables these constant time - * operations and results in faster RSA - * private key operations. - */ -#ifndef OPENSSL_NO_DEPRECATED -#define RSA_FLAG_NO_EXP_CONSTTIME RSA_FLAG_NO_CONSTTIME /* deprecated name for the flag*/ - /* new with 0.9.7h; the built-in RSA - * implementation now uses constant time - * modular exponentiation for secret exponents - * by default. This flag causes the - * faster variable sliding window method to - * be used for all exponents. - */ +/* + * new with 0.9.6j and 0.9.7b; the built-in + * RSA implementation now uses blinding by + * default (ignoring RSA_FLAG_BLINDING), + * but other engines might not need it + */ +#define RSA_FLAG_NO_BLINDING 0x0080 +/* + * new with 0.9.8f; the built-in RSA + * implementation now uses constant time + * operations by default in private key operations, + * e.g., constant time modular exponentiation, + * modular inverse without leaking branches, + * division without leaking branches. This + * flag disables these constant time + * operations and results in faster RSA + * private key operations. + */ +#define RSA_FLAG_NO_CONSTTIME 0x0100 +#ifdef OPENSSL_USE_DEPRECATED +/* deprecated name for the flag*/ +/* + * new with 0.9.7h; the built-in RSA + * implementation now uses constant time + * modular exponentiation for secret exponents + * by default. This flag causes the + * faster variable sliding window method to + * be used for all exponents. + */ +#define RSA_FLAG_NO_EXP_CONSTTIME RSA_FLAG_NO_CONSTTIME #endif diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index 56880dc138..aeab6cfcc3 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -285,11 +285,12 @@ static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) { /* resort to rsa->mt_blinding instead */ - *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert() - * that the BN_BLINDING is shared, meaning that accesses - * require locks, and that the blinding factor must be - * stored outside the BN_BLINDING - */ + /* instructs rsa_blinding_convert(), rsa_blinding_invert() + * that the BN_BLINDING is shared, meaning that accesses + * require locks, and that the blinding factor must be + * stored outside the BN_BLINDING + */ + *local = 0; if (rsa->mt_blinding == NULL) { diff --git a/crypto/sha/sha.h b/crypto/sha/sha.h index d78999b013..50978f49cf 100644 --- a/crypto/sha/sha.h +++ b/crypto/sha/sha.h @@ -155,9 +155,12 @@ void SHA256_Transform(SHA256_CTX *c, const unsigned char *data); * being exactly 64-bit wide. See Implementation Notes in sha512.c * for further details. */ -#define SHA512_CBLOCK (SHA_LBLOCK*8) /* SHA-512 treats input data as a - * contiguous array of 64 bit - * wide big-endian values. */ +/* + * SHA-512 treats input data as a + * contiguous array of 64 bit + * wide big-endian values. + */ +#define SHA512_CBLOCK (SHA_LBLOCK*8) #if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__) #define SHA_LONG64 unsigned __int64 #define U64(C) C##UI64 diff --git a/crypto/stack/safestack.h b/crypto/stack/safestack.h index 1ddc79f7ea..f062b1e240 100644 --- a/crypto/stack/safestack.h +++ b/crypto/stack/safestack.h @@ -94,7 +94,8 @@ STACK_OF(type) \ _STACK stack; \ }; -#define IMPLEMENT_STACK_OF(type) /* nada (obsolete in new safestack approach)*/ +/* nada (obsolete in new safestack approach)*/ +#define IMPLEMENT_STACK_OF(type) /*- diff --git a/crypto/store/str_mem.c b/crypto/store/str_mem.c index 8ac4f7e55c..021d828325 100644 --- a/crypto/store/str_mem.c +++ b/crypto/store/str_mem.c @@ -86,25 +86,38 @@ typedef struct mem_object_data_st DECLARE_STACK_OF(MEM_OBJECT_DATA) struct mem_data_st { - STACK_OF(MEM_OBJECT_DATA) *data; /* sorted with - * STORE_ATTR_INFO_compare(). */ - unsigned int compute_components : 1; /* Currently unused, but can - be used to add attributes - from parts of the data. */ + /* + * sorted with + * STORE_ATTR_INFO_compare(). + */ + STACK_OF(MEM_OBJECT_DATA) *data; + /* + * Currently unused, but can + * be used to add attributes + * from parts of the data. + */ + unsigned int compute_components : 1; }; DECLARE_STACK_OF(STORE_ATTR_INFO) struct mem_ctx_st { - int type; /* The type we're searching for */ - STACK_OF(STORE_ATTR_INFO) *search_attributes; /* Sets of - attributes to search for. Each - element is a STORE_ATTR_INFO. */ - int search_index; /* which of the search attributes we - found a match for, -1 when we still - haven't found any */ - int index; /* -1 as long as we're searching for - the first */ + /* The type we're searching for */ + int type; + /* + * Sets of + * attributes to search for. Each + * element is a STORE_ATTR_INFO. + */ + STACK_OF(STORE_ATTR_INFO) *search_attributes; + /* + * which of the search attributes we + * found a match for, -1 when we still + * haven't found any + */ + int search_index; + /* -1 as long as we're searching for the first */ + int index; }; static int mem_init(STORE *s); diff --git a/crypto/whrlpool/wp_block.c b/crypto/whrlpool/wp_block.c index 221f6cc59f..0a401ee648 100644 --- a/crypto/whrlpool/wp_block.c +++ b/crypto/whrlpool/wp_block.c @@ -64,8 +64,11 @@ typedef unsigned long long u64; # define SMALL_REGISTER_BANK # if defined(WHIRLPOOL_ASM) # ifndef OPENSSL_SMALL_FOOTPRINT -# define OPENSSL_SMALL_FOOTPRINT /* it appears that for elder non-MMX - CPUs this is actually faster! */ +/* + * it appears that for elder non-MMX + * CPUs this is actually faster! + */ +# define OPENSSL_SMALL_FOOTPRINT # endif # define GO_FOR_MMX(ctx,inp,num) do { \ extern unsigned long OPENSSL_ia32cap_P; \ diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index 026e174e1a..d6eb3f3b3c 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -192,14 +192,22 @@ struct x509_store_st X509_VERIFY_PARAM *param; /* Callbacks for various operations */ - int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */ - int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */ - int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */ - int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */ - int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */ - int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */ - int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */ - int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */ + /* called to verify a certificate */ + int (*verify)(X509_STORE_CTX *ctx); + /* error callback */ + int (*verify_cb)(int ok,X509_STORE_CTX *ctx); + /* get issuers cert from ctx */ + int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); + /* check issued */ + int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); + /* Check revocation status of chain */ + int (*check_revocation)(X509_STORE_CTX *ctx); + /* retrieve CRL */ + int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); + /* Check CRL validity */ + int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); + /* Check certificate against CRL */ + int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm); STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm); int (*cleanup)(X509_STORE_CTX *ctx); @@ -230,49 +238,72 @@ struct x509_lookup_st struct x509_store_ctx_st /* X509_STORE_CTX */ { X509_STORE *ctx; - int current_method; /* used when looking up certs */ + /* used when looking up certs */ + int current_method; /* The following are set by the caller */ - X509 *cert; /* The cert to check */ - STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */ - STACK_OF(X509_CRL) *crls; /* set of CRLs passed in */ + /* The cert to check */ + X509 *cert; + /* chain of X509s - untrusted - passed in */ + STACK_OF(X509) *untrusted; + /* set of CRLs passed in */ + STACK_OF(X509_CRL) *crls; X509_VERIFY_PARAM *param; - void *other_ctx; /* Other info for use with get_issuer() */ + /* Other info for use with get_issuer() */ + void *other_ctx; /* Callbacks for various operations */ - int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */ - int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */ - int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */ - int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */ - int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */ - int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */ - int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */ - int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */ + /* called to verify a certificate */ + int (*verify)(X509_STORE_CTX *ctx); + /* error callback */ + int (*verify_cb)(int ok,X509_STORE_CTX *ctx); + /* get issuers cert from ctx */ + int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); + /* check issued */ + int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); + /* Check revocation status of chain */ + int (*check_revocation)(X509_STORE_CTX *ctx); + /* retrieve CRL */ + int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); + /* Check CRL validity */ + int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); + /* Check certificate against CRL */ + int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); int (*check_policy)(X509_STORE_CTX *ctx); STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm); STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm); int (*cleanup)(X509_STORE_CTX *ctx); /* The following is built up */ - int valid; /* if 0, rebuild chain */ - int last_untrusted; /* index of last untrusted cert */ - STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */ - X509_POLICY_TREE *tree; /* Valid policy tree */ - - int explicit_policy; /* Require explicit policy value */ + /* if 0, rebuild chain */ + int valid; + /* index of last untrusted cert */ + int last_untrusted; + /* chain of X509s - built up and trusted */ + STACK_OF(X509) *chain; + /* Valid policy tree */ + X509_POLICY_TREE *tree; + + /* Require explicit policy value */ + int explicit_policy; /* When something goes wrong, this is why */ int error_depth; int error; X509 *current_cert; - X509 *current_issuer; /* cert currently being tested as valid issuer */ - X509_CRL *current_crl; /* current CRL */ - - int current_crl_score; /* score of current CRL */ - unsigned int current_reasons; /* Reason mask */ - - X509_STORE_CTX *parent; /* For CRL path validation: parent context */ + /* cert currently being tested as valid issuer */ + X509 *current_issuer; + /* current CRL */ + X509_CRL *current_crl; + + /* score of current CRL */ + int current_crl_score; + /* Reason mask */ + unsigned int current_reasons; + + /* For CRL path validation: parent context */ + X509_STORE_CTX *parent; CRYPTO_EX_DATA ex_data; } /* X509_STORE_CTX */; diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c index 3385ad3f67..42366fcbed 100644 --- a/crypto/x509/x509type.c +++ b/crypto/x509/x509type.c @@ -116,8 +116,8 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey) break; } - if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look - for, not bytes */ + /* /8 because it's 1024 bits we look for, not bytes */ + if (EVP_PKEY_size(pk) <= 1024/8) ret|=EVP_PKT_EXP; if(pkey==NULL) EVP_PKEY_free(pk); return(ret); diff --git a/demos/easy_tls/easy-tls.c b/demos/easy_tls/easy-tls.c index b433036715..e6b9b865c8 100644 --- a/demos/easy_tls/easy-tls.c +++ b/demos/easy_tls/easy-tls.c @@ -708,7 +708,9 @@ tls_create_ctx(struct tls_create_ctx_args a, void *apparg) SSL_CTX_set_verify_depth(ret, a.verify_depth); if (a.ca_file != NULL) { - r = SSL_CTX_load_verify_locations(ret, a.ca_file, NULL /* no CA-directory */); /* does not report failure if file does not exist ... */ + /* does not report failure if file does not exist ... */ + /* NULL argument means no CA-directory */ + r = SSL_CTX_load_verify_locations(ret, a.ca_file, NULL); if (!r) { err_pref_1 = " while processing certificate file "; err_pref_2 = a.ca_file; diff --git a/demos/engines/ibmca/hw_ibmca.c b/demos/engines/ibmca/hw_ibmca.c index 0c2c39b8a7..fa690a2286 100644 --- a/demos/engines/ibmca/hw_ibmca.c +++ b/demos/engines/ibmca/hw_ibmca.c @@ -917,4 +917,4 @@ IMPLEMENT_DYNAMIC_BIND_FN(bind_fn) #endif /* !OPENSSL_NO_HW_IBMCA */ -#endif /* !OPENSSL_NO_HW */ +#endif /* !OPENSSL_NO_HW */ diff --git a/ms/applink.c b/ms/applink.c index 54a0a64262..76f1c40d0a 100644 --- a/ms/applink.c +++ b/ms/applink.c @@ -46,9 +46,12 @@ extern "C" { __declspec(dllexport) void ** #if defined(__BORLANDC__) -__stdcall /* __stdcall appears to be the only way to get the name - * decoration right with Borland C. Otherwise it works - * purely incidentally, as we pass no parameters. */ +/* + * __stdcall appears to be the only way to get the name + * decoration right with Borland C. Otherwise it works + * purely incidentally, as we pass no parameters. + */ +__stdcall #else __cdecl #endif diff --git a/ssl/d1_both.c b/ssl/d1_both.c index 2f5b63d61d..18d47e7839 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -476,10 +476,15 @@ long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) again: i = dtls1_get_message_fragment(s, st1, stn, max, ok); if ( i == DTLS1_HM_BAD_FRAGMENT || - i == DTLS1_HM_FRAGMENT_RETRY) /* bad fragment received */ + i == DTLS1_HM_FRAGMENT_RETRY) + { + /* bad fragment received */ goto again; + } else if ( i <= 0 && !*ok) + { return i; + } p = (unsigned char *)s->init_buf->data; msg_len = msg_hdr->msg_len; @@ -1150,7 +1155,8 @@ int dtls1_read_failed(SSL *s, int code) return code; } - if ( ! SSL_in_init(s)) /* done, no need to send a retransmit */ + /* done, no need to send a retransmit */ + if ( ! SSL_in_init(s)) { BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ); return code; diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index bf4e44704f..96a3419355 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -335,8 +335,8 @@ dtls1_get_buffered_record(SSL *s) (((PQ_64BIT)s->d1->handshake_read_seq) << 32) | ((PQ_64BIT)s->d1->r_msg_hdr.frag_off); - if ( ! SSL_in_init(s)) /* if we're not (re)negotiating, - nothing buffered */ + /* if we're not (re)negotiating, nothing buffered */ + if ( ! SSL_in_init(s)) return 0; diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index c040c6f82f..7637150bc0 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c @@ -233,19 +233,21 @@ end: int ssl23_get_client_hello(SSL *s) { - char buf_space[11]; /* Request this many bytes in initial read. - * We can detect SSL 3.0/TLS 1.0 Client Hellos - * ('type == 3') correctly only when the following - * is in a single record, which is not guaranteed by - * the protocol specification: - * Byte Content - * 0 type \ - * 1/2 version > record header - * 3/4 length / - * 5 msg_type \ - * 6-8 length > Client Hello message - * 9/10 client_version / - */ + /*- + * Request this many bytes in initial read. + * We can detect SSL 3.0/TLS 1.0 Client Hellos + * ('type == 3') correctly only when the following + * is in a single record, which is not guaranteed by + * the protocol specification: + * Byte Content + * 0 type \ + * 1/2 version > record header + * 3/4 length / + * 5 msg_type \ + * 6-8 length > Client Hello message + * 9/10 client_version / + */ + char buf_space[11]; char *buf= &(buf_space[0]); unsigned char *p,*d,*d_len,*dd; unsigned int i; diff --git a/ssl/s3_both.c b/ssl/s3_both.c index 412d095d60..26a4e810f0 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -212,11 +212,12 @@ int ssl3_get_finished(SSL *s, int a, int b) * change cipher spec message and is in s->s3->tmp.peer_finish_md */ + /* 64 argument should actually be 36+4 :-) */ n=s->method->ssl_get_message(s, a, b, SSL3_MT_FINISHED, - 64, /* should actually be 36+4 :-) */ + 64, &ok); if (!ok) return((int)n); diff --git a/ssl/ssl.h b/ssl/ssl.h index bba674b130..74cd85c3a9 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -819,7 +819,8 @@ struct ssl_ctx_st int verify_mode; unsigned int sid_ctx_length; unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; - int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */ + /* called 'verify_callback' in the SSL */ + int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* Default generate session ID callback. */ GEN_SESSION_CB generate_session_id; @@ -984,22 +985,28 @@ struct ssl_st * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION) */ int version; - int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */ + /* SSL_ST_CONNECT or SSL_ST_ACCEPT */ + int type; - const SSL_METHOD *method; /* SSLv3 */ + /* SSLv3 */ + const SSL_METHOD *method; /* There are 2 BIO's even though they are normally both the * same. This is so data can be read and written to different * handlers */ #ifndef OPENSSL_NO_BIO - BIO *rbio; /* used by SSL_read */ - BIO *wbio; /* used by SSL_write */ - BIO *bbio; /* used during session-id reuse to concatenate - * messages */ + /* used by SSL_read */ + BIO *rbio; + /* used by SSL_write */ + BIO *wbio; + /* used during session-id reuse to concatenate messages */ + BIO *bbio; #else - char *rbio; /* used by SSL_read */ - char *wbio; /* used by SSL_write */ + /* used by SSL_read */ + char *rbio; + /* used by SSL_write */ + char *wbio; char *bbio; #endif /* This holds a variable that indicates what we were doing @@ -1020,19 +1027,26 @@ struct ssl_st * test instead of an "init" member. */ - int server; /* are we the server side? - mostly used by SSL_clear*/ + /* are we the server side? - mostly used by SSL_clear*/ + int server; - int new_session;/* 1 if we are to use a new session. - * 2 if we are a server and are inside a handshake - * (i.e. not just sending a HelloRequest) - * NB: For servers, the 'new' session may actually be a previously - * cached session or even the previous session unless - * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ - int quiet_shutdown;/* don't send shutdown packets */ - int shutdown; /* we have shut things down, 0x01 sent, 0x02 - * for received */ - int state; /* where we are */ - int rstate; /* where we are when reading */ + /* + * 1 if we are to use a new session. + * 2 if we are a server and are inside a handshake + * (i.e. not just sending a HelloRequest) + * NB: For servers, the 'new' session may actually be a previously + * cached session or even the previous session unless + * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set + */ + int new_session; + /* don't send shutdown packets */ + int quiet_shutdown; + /* we have shut things down, 0x01 sent, 0x02 for received */ + int shutdown; + /* where we are */ + int state; + /* where we are when reading */ + int rstate; BUF_MEM *init_buf; /* buffer used during init */ void *init_msg; /* pointer to handshake message body, set by ssl3_get_message() */ @@ -1104,17 +1118,25 @@ struct ssl_st GEN_SESSION_CB generate_session_id; /* Used in SSL2 and SSL3 */ - int verify_mode; /* 0 don't care about verify failure. - * 1 fail if verify fails */ - int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */ + /* + * 0 don't care about verify failure. + * 1 fail if verify fails + */ + int verify_mode; + /* fail if callback returns 0 */ + int (*verify_callback)(int ok,X509_STORE_CTX *ctx); - void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */ + /* optional informational callback */ + void (*info_callback)(const SSL *ssl,int type,int val); - int error; /* error bytes to be written */ - int error_code; /* actual code */ + /* error bytes to be written */ + int error; + /* actual code */ + int error_code; #ifndef OPENSSL_NO_KRB5 - KSSL_CTX *kssl_ctx; /* Kerberos 5 context */ + /* Kerberos 5 context */ + KSSL_CTX *kssl_ctx; #endif /* OPENSSL_NO_KRB5 */ #ifndef OPENSSL_NO_PSK @@ -1138,12 +1160,14 @@ struct ssl_st STACK_OF(X509_NAME) *client_CA; int references; - unsigned long options; /* protocol behaviour */ - unsigned long mode; /* API behaviour */ + /* protocol behaviour */ + unsigned long options; + /* API behaviour */ + unsigned long mode; long max_cert_list; int first_packet; - int client_version; /* what was passed, used for - * SSLv3/TLS rollback check */ + /* what was passed, used for SSLv3/TLS rollback check */ + int client_version; unsigned int max_send_fragment; #ifndef OPENSSL_NO_TLSEXT /* TLS extension debug callback */ @@ -1152,11 +1176,13 @@ struct ssl_st void *arg); void *tlsext_debug_arg; char *tlsext_hostname; - int servername_done; /* no further mod of servername - 0 : call the servername extension callback. - 1 : prepare 2, allow last ack just after in server callback. - 2 : don't call servername callback, no ack in server hello - */ + /*- + * no further mod of servername + * 0 : call the servername extension callback. + * 1 : prepare 2, allow last ack just after in server callback. + * 2 : don't call servername callback, no ack in server hello + */ + int servername_done; /* certificate status request info */ /* Status type or -1 if no status type */ int tlsext_status_type; @@ -1173,9 +1199,11 @@ struct ssl_st int tlsext_ticket_expected; #ifndef OPENSSL_NO_EC size_t tlsext_ecpointformatlist_length; - unsigned char *tlsext_ecpointformatlist; /* our list */ + /* our list */ + unsigned char *tlsext_ecpointformatlist; size_t tlsext_ellipticcurvelist_length; - unsigned char *tlsext_ellipticcurvelist; /* our list */ + /* our list */ + unsigned char *tlsext_ellipticcurvelist; #endif /* OPENSSL_NO_EC */ /* draft-rescorla-tls-opaque-prf-input-00.txt information to be used for handshakes */ diff --git a/ssl/ssl3.h b/ssl/ssl3.h index 263d16dcbd..392c0452ea 100644 --- a/ssl/ssl3.h +++ b/ssl/ssl3.h @@ -346,23 +346,34 @@ extern "C" { typedef struct ssl3_record_st { -/*r */ int type; /* type of record */ -/*rw*/ unsigned int length; /* How many bytes available */ -/*r */ unsigned int off; /* read/write offset into 'buf' */ -/*rw*/ unsigned char *data; /* pointer to the record data */ -/*rw*/ unsigned char *input; /* where the decode bytes are */ -/*r */ unsigned char *comp; /* only used with decompression - malloc()ed */ -/*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */ -/*r */ unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */ + /* type of record */ +/*r */ int type; + /* How many bytes available */ +/*rw*/ unsigned int length; + /* read/write offset into 'buf' */ +/*r */ unsigned int off; + /* pointer to the record data */ +/*rw*/ unsigned char *data; + /* where the decode bytes are */ +/*rw*/ unsigned char *input; + /* only used with decompression - malloc()ed */ +/*r */ unsigned char *comp; + /* epoch number, needed by DTLS1 */ +/*r */ unsigned long epoch; + /* sequence number, needed by DTLS1 */ +/*r */ unsigned char seq_num[8]; } SSL3_RECORD; typedef struct ssl3_buffer_st { - unsigned char *buf; /* at least SSL3_RT_MAX_PACKET_SIZE bytes, - * see ssl3_setup_buffers() */ - size_t len; /* buffer size */ - int offset; /* where to 'copy from' */ - int left; /* how many bytes left */ + /* at least SSL3_RT_MAX_PACKET_SIZE bytes, see ssl3_setup_buffers() */ + unsigned char *buf; + /* buffer size */ + size_t len; + /* where to 'copy from' */ + int offset; + /* how many bytes left */ + int left; } SSL3_BUFFER; #define SSL3_CT_RSA_SIGN 1 diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 9b6df7a36e..8a429ba187 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -198,10 +198,15 @@ int SSL_clear(SSL *s) s->hit=0; s->shutdown=0; -#if 0 /* Disabled since version 1.10 of this file (early return not - * needed because SSL_clear is not called when doing renegotiation) */ - /* This is set if we are doing dynamic renegotiation so keep - * the old cipher. It is sort of a SSL_clear_lite :-) */ +#if 0 + /* + * Disabled since version 1.10 of this file (early return not + * needed because SSL_clear is not called when doing renegotiation) + */ + /* + * This is set if we are doing dynamic renegotiation so keep + * the old cipher. It is sort of a SSL_clear_lite :-) + */ if (s->new_session) return(1); #else if (s->new_session) diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index bb553aaefd..7ff5d32c9a 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -472,9 +472,12 @@ typedef struct cert_pkey_st typedef struct cert_st { /* Current active set */ - CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array - * Probably it would make more sense to store - * an index, not a pointer. */ + /* + * ALWAYS points to an element of the pkeys array + * Probably it would make more sense to store + * an index, not a pointer. + */ + CERT_PKEY *key; /* The following masks are for the key and auth * algorithms that are supported by the certs below */ diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 8e5d8a0972..005d60a1a4 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -955,9 +955,11 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s) if ((s->next == NULL) || (s->prev == NULL)) return; if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail)) - { /* last element in list */ + { + /* last element in list */ if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) - { /* only one element in list */ + { + /* only one element in list */ ctx->session_cache_head=NULL; ctx->session_cache_tail=NULL; } @@ -970,12 +972,14 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s) else { if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) - { /* first element in list */ + { + /* first element in list */ ctx->session_cache_head=s->next; s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head); } else - { /* middle of list */ + { + /* middle of list */ s->next->prev=s->prev; s->prev->next=s->next; } diff --git a/ssl/ssltest.c b/ssl/ssltest.c index 46b449cf71..80f5a28799 100644 --- a/ssl/ssltest.c +++ b/ssl/ssltest.c @@ -140,8 +140,8 @@ * OTHERWISE. */ -#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly - on Linux and GNU platforms. */ +/* Or gethostname won't be declared properly on Linux and GNU platforms. */ +#define _BSD_SOURCE 1 #include #include @@ -155,8 +155,8 @@ #include "e_os.h" #ifdef OPENSSL_SYS_VMS -#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on - VMS (at least with DECompHP C). */ +/* Or isascii won't be declared properly on VMS (at least with DECompHP C). */ +#define _XOPEN_SOURCE 500 #endif #include @@ -183,11 +183,13 @@ #endif #include -#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly - on Compaq platforms (at least with DEC C). - Do not try to put it earlier, or IPv6 includes - get screwed... - */ +/* + * Or gethostname won't be declared properly + * on Compaq platforms (at least with DEC C). + * Do not try to put it earlier, or IPv6 includes + * get screwed... +*/ +#define _XOPEN_SOURCE_EXTENDED 1 #ifdef OPENSSL_SYS_WINDOWS #include diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 7cce96a74d..fcf8bc937b 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -942,8 +942,11 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in return 0; } - if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ + if (s->s3->client_opaque_prf_input != NULL) + { + /* shouldn't really happen */ OPENSSL_free(s->s3->client_opaque_prf_input); + } /* dummy byte just to get non-NULL */ if (s->s3->client_opaque_prf_input_len == 0) @@ -1216,12 +1219,20 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in return 0; } - if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ + if (s->s3->server_opaque_prf_input != NULL) + { + /* shouldn't really happen */ OPENSSL_free(s->s3->server_opaque_prf_input); + } if (s->s3->server_opaque_prf_input_len == 0) - s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ + { + /* dummy byte just to get non-NULL */ + s->s3->server_opaque_prf_input = OPENSSL_malloc(1); + } else + { s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len); + } if (s->s3->server_opaque_prf_input == NULL) { @@ -1371,13 +1382,21 @@ int ssl_prepare_clienthello_tlsext(SSL *s) if (s->tlsext_opaque_prf_input != NULL) { - if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ + if (s->s3->client_opaque_prf_input != NULL) + { + /* shouldn't really happen */ OPENSSL_free(s->s3->client_opaque_prf_input); + } if (s->tlsext_opaque_prf_input_len == 0) - s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ + { + /* dummy byte just to get non-NULL */ + s->s3->client_opaque_prf_input = OPENSSL_malloc(1); + } else + { s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); + } if (s->s3->client_opaque_prf_input == NULL) { SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); @@ -1465,8 +1484,11 @@ int ssl_check_clienthello_tlsext_early(SSL *s) } } - if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ + if (s->s3->server_opaque_prf_input != NULL) + { + /* shouldn't really happen */ OPENSSL_free(s->s3->server_opaque_prf_input); + } s->s3->server_opaque_prf_input = NULL; if (s->tlsext_opaque_prf_input != NULL) @@ -1478,9 +1500,14 @@ int ssl_check_clienthello_tlsext_early(SSL *s) * of the same length as the client opaque PRF input! */ if (s->tlsext_opaque_prf_input_len == 0) - s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ + { + /* dummy byte just to get non-NULL */ + s->s3->server_opaque_prf_input = OPENSSL_malloc(1); + } else + { s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); + } if (s->s3->server_opaque_prf_input == NULL) { ret = SSL_TLSEXT_ERR_ALERT_FATAL; diff --git a/ssl/tls1.h b/ssl/tls1.h index 6eeb8dda6c..377e24212f 100644 --- a/ssl/tls1.h +++ b/ssl/tls1.h @@ -217,9 +217,12 @@ extern "C" { #define TLSEXT_TYPE_ec_point_formats 11 #define TLSEXT_TYPE_session_ticket 35 /* ExtensionType value from draft-rescorla-tls-opaque-prf-input-00.txt */ -#if 0 /* will have to be provided externally for now , - * i.e. build with -DTLSEXT_TYPE_opaque_prf_input=38183 - * using whatever extension number you'd like to try */ +#if 0 +/* + * will have to be provided externally for now , + * i.e. build with -DTLSEXT_TYPE_opaque_prf_input=38183 + * using whatever extension number you'd like to try + */ # define TLSEXT_TYPE_opaque_prf_input ?? */ #endif